CVE-2026-2880
CriticalSummary
A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware. When Fastify router normalization options are enabled, crafted request paths may bypass middleware checks.
Risk Assessment
Organizations may be exposed to unauthorized access to protected resources, potentially leading to serious security breaches.
Recommendation
It is recommended to upgrade @fastify/middie to version 9.2.0 or later to mitigate this vulnerability.
Original NVD description (English source)
A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.

